User-Agent Based Access Control for DLNA Devices

Mohammad Zuberul Islam, Md. Mahmud Hossain, Samiul Haque, Jutheka Lahiry, Shyam Akhter Bonny and Mohammed Nazim Uddin
Samsung R&D Institute, Bangladesh
Dhaka, Bangladesh

Abstract—DLNA based media sharing is very popular nowadays. In the current DLNA specification, a DLNA device advertises its presence to everyone in the network. Any control point application receiving the advertisement can access/control the device. However, with the increasing popularity and availability of public Wi-Fi hotspots, it is necessary for devices to have some sort of access control. The DLNA specification has no mandatory authentication procedure. So a device receiving a request from any unwanted control point cannot block/verify its access. The UPnP recommended authentication procedure is computationally expensive and complex for most personal devices. So, in this paper we propose a simple User-Agent based access control system that is effective in protecting devices from unwanted control point applications.

Keywords—DLNA, UPnP, Access Control, User-Agent, Media Management, Content Sharing, Media Server, Media Renderer

I. INTRODUCTION

The main objective of Digital Living Network Alliance (DLNA) [1] certified devices is to establish an infrastructure to provide a seamless environment for sharing digital media and content services. But the absence of access control in a DLNA device is a major concern when the user is connected to a public network.

Let us check the problem in a real life scenario: Alice and Bob are having a chit-chat at the cheese-cake factory. Now Bob has some personal video contents in his Galaxy S4 device that he wants to share with Alice. So Bob starts his Digital Media Server (DMS) application and asks Alice to check it from the gallery application of her S4. The gallery application is a DLNA Control Point (CP). However Chuck (who is a potential enemy of Bob) has a Galaxy Note 2 which unfortunately is also a CP.
Now as per the DLNA specification there is no way for Bob to block Chuck’s device and allow Alice’s device to access his videos.

From the scenario, it is evident that a complex or heavy authentication procedure is not necessary. A simple way to allow or deny a device, with minimum user involvement, is expected. So we propose a mechanism to control access to a device based on the HTTP User-Agent. The approach is easy to implement and can work with any DLNA CP.

The paper is organized as follows. Section II presents the related works on DLNA access control. An overview of our proposed system is given in Section III. Then the process flow of the system is shown in Section IV. Section V discusses the computational complexity. Implementation of the proposed system is described in Section VI and finally we conclude our work in Section VII.

II. RELATED WORKS

The lack of a specific security standard in DLNA has drawn the attention of researchers to finding suitable security mechanisms to protect DLNA devices from unauthorized access/control. DLNA devices use UPnP for communication and service discovery in various environments [2]. Security and vulnerability issues of the UPnP architecture are addressed in [3], as it is not mandatory to implement device security templates in UPnP enabled devices. Usually access control is accorded with the severe security problems that occur in UPnP enabled devices. Key based (Shared Symmetric Key, Public Key) home device authentication is outlined in [4], where a home device can verify another device through a mutually shared certificate and hence the devices can communicate with each other securely. Moreover the concept of delegation server and Certification Authority (CA) makes the idea complex for personal home devices. An autonomic security model for home networks is proposed in [5], where a combination of symmetric cryptography and asymmetric cryptography is used. Here symmetric cryptography belongs to light duty devices (i.e.
devices requiring low processing power) and asymmetric cryptography belongs to heavy duty devices (i.e. devices requiring high processing power). An intricate access control model is proposed in [6], which includes a Programmable Recognition Module (PRM) [7] and a Trust Engine, where the identity of the device or user is first validated using the PRM and then access permission is granted based on that device’s or user’s trust level. New UPnP Security considers an Access Control List (ACL) [8] to simplify the security mechanism. But a great deal of ACL editing is required when there exists a large number of CPs or a large number of subjects. A global content sharing home gateway is introduced in [9], which uses a DLNA agent for Social Network Services (SNS), where the access control support from social network web services is used.

III. SYSTEM OVERVIEW

Establishing a protection level within DLNA devices based on the device owner’s decision is the main objective of the proposed Access Control System (ACS). As configuring complex security rules is not desired our User-Agent based protection

978-1-4799-2442-4/13/$31.00 © 2013 IEEE